Security fix: unauthorized access (#10091)

librenms · Apr 13, 2019 · f4908f4 · f4908f4
1 parent f58d983
commit f4908f4
Show file tree

Hide file tree

Showing 1,300 changed files with 1,437 additions and 1,433 deletions.
diff --git a/LibreNMS/Plugins.php b/LibreNMS/Plugins.php
@@ -101,6 +101,7 @@ public static function start()
      */
     public static function load($file, $pluginName)
     {
+        chdir(Config::get('install_dir') . '/html');
         $plugin = self::getInstance($file, $pluginName);
 
         $class = get_class($plugin);
@@ -112,6 +113,8 @@ public static function load($file, $pluginName)
             }
         }
 
+        chdir(Config::get('install_dir'));
+
         return $plugin;
     }
 
@@ -173,23 +176,23 @@ public static function countHooks($hook)
      */
     public static function call($hook, $params = false)
     {
+        chdir(Config::get('install_dir') . '/html');
         self::start();
 
-        if (empty(self::$plugins[$hook])) {
-            return;
-        }
-
-        foreach (self::$plugins[$hook] as $name) {
-            try {
-                if (!is_array($params)) {
-                    @call_user_func([$name, $hook]);
-                } else {
-                    @call_user_func_array([$name, $hook], $params);
+        if (!empty(self::$plugins[$hook])) {
+            foreach (self::$plugins[$hook] as $name) {
+                try {
+                    if (!is_array($params)) {
+                        @call_user_func([$name, $hook]);
+                    } else {
+                        @call_user_func_array([$name, $hook], $params);
+                    }
+                } catch (\Exception $e) {
+                    Log::error($e);
                 }
-            } catch (\Exception $e) {
-                Log::error($e);
             }
         }
+        chdir(Config::get('install_dir'));
     }
 
     /**

diff --git a/LibreNMS/Util/Graph.php b/LibreNMS/Util/Graph.php
@@ -46,7 +46,7 @@ public static function getSubtypes($type, $device = null)
         $types = [];
 
         // find the subtypes defined in files
-        foreach (glob(base_path("/html/includes/graphs/$type/*.inc.php")) as $file) {
+        foreach (glob(base_path("/includes/html/graphs/$type/*.inc.php")) as $file) {
             $type = basename($file, '.inc.php');
             if ($type != 'auth') {
                 $types[] = $type;

diff --git a/html/ajax_form.php b/html/ajax_form.php
@@ -12,22 +12,19 @@
  * the source code distribution for details.
  */
 
-// FUA
-
 use LibreNMS\Authentication\LegacyAuth;
 
-$init_modules = array('web', 'auth', 'alerts', 'laravel');
+$init_modules = array('web', 'auth', 'alerts');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-set_debug(isset($_REQUEST['debug']) ? $_REQUEST['debug'] : false);
-
 if (!LegacyAuth::check()) {
-    echo 'unauthenticated';
-    exit;
+    die('Unauthorized');
 }
 
+set_debug(isset($_REQUEST['debug']) ? $_REQUEST['debug'] : false);
+
 if (preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['type']) == 1) {
-    if (file_exists('includes/forms/'.$_POST['type'].'.inc.php')) {
-        include_once 'includes/forms/'.$_POST['type'].'.inc.php';
+    if (file_exists('includes/html/forms/'.$_POST['type'].'.inc.php')) {
+        include_once 'includes/html/forms/'.$_POST['type'].'.inc.php';
     }
 }
diff --git a/html/ajax_list.php b/html/ajax_list.php
@@ -19,18 +19,17 @@
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
 
-$type = mres($_REQUEST['type']);
+$type = basename($_REQUEST['type']);
 
-if (isset($type) && file_exists("includes/list/$type.inc.php")) {
+if ($type && file_exists("includes/html/list/$type.inc.php")) {
     header('Content-type: application/json');
 
-    list($results, $more) = include "includes/list/$type.inc.php";
+    list($results, $more) = include "includes/html/list/$type.inc.php";
 
     die(json_encode([
         'results' => $results,

diff --git a/html/ajax_listports.php b/html/ajax_listports.php
@@ -15,13 +15,12 @@
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-set_debug($_REQUEST['debug']);
-
 if (!LegacyAuth::check()) {
-    echo 'unauthenticated';
-    exit;
+    die('Unauthorized');
 }
 
+set_debug($_REQUEST['debug']);
+
 if (is_numeric($_GET['device_id'])) {
     foreach (dbFetch('SELECT * FROM ports WHERE device_id = ?', array($_GET['device_id'])) as $interface) {
         $interface  = cleanPort($interface);

diff --git a/html/ajax_ossuggest.php b/html/ajax_ossuggest.php
@@ -21,7 +21,7 @@
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    die('Unauthorized.');
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);

diff --git a/html/ajax_output.php b/html/ajax_output.php
@@ -23,14 +23,13 @@
     require realpath(__DIR__ . '/..') . '/includes/init.php';
 
     if (!LegacyAuth::check()) {
-        echo "Unauthenticated\n";
-        exit;
+        die('Unauthorized');
     }
 }
 
 set_debug($_REQUEST['debug']);
-$id = str_replace('/', '', $_REQUEST['id']);
+$id = basename($_REQUEST['id']);
 
-if (isset($id)) {
-    require $config['install_dir'] . "/html/includes/output/$id.inc.php";
+if ($id && is_file($config['install_dir'] . "/includes/html/output/$id.inc.php")) {
+    require $config['install_dir'] . "/includes/html/output/$id.inc.php";
 }
diff --git a/html/ajax_rulesuggest.php b/html/ajax_rulesuggest.php
@@ -29,14 +29,14 @@
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    die('Unauthorized.');
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
 
 /**
  * Levenshtein Sort
- * @param string $base Comparisson basis
+ * @param string $base Comparison basis
  * @param array  $obj  Object to sort
  * @return array
  */

diff --git a/html/ajax_search.php b/html/ajax_search.php
@@ -5,13 +5,12 @@
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-set_debug($_REQUEST['debug']);
-
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
+set_debug($_REQUEST['debug']);
+
 $device = array();
 $ports  = array();
 $bgp    = array();
@@ -24,7 +23,6 @@
         $found = 0;
 
         if ($_REQUEST['type'] == 'group') {
-            include_once '../includes/device-groups.inc.php';
             foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE ?", ["%$search%"]) as $group) {
                 if ($_REQUEST['map']) {
                     $results[] = array(

diff --git a/html/ajax_table.php b/html/ajax_table.php
@@ -18,8 +18,7 @@
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
@@ -34,13 +33,11 @@
     }
 }
 
-$searchPhrase = mres($_REQUEST['searchPhrase']);
-$id           = mres($_REQUEST['id']);
+$searchPhrase = $_REQUEST['searchPhrase'];
+$id           = basename($_REQUEST['id']);
 $response     = array();
 
-if (isset($id)) {
-    if (file_exists("includes/table/$id.inc.php")) {
-        header('Content-type: application/json');
-        include_once "includes/table/$id.inc.php";
-    }
+if ($id && file_exists("includes/html/table/$id.inc.php")) {
+    header('Content-type: application/json');
+    include_once "includes/html/table/$id.inc.php";
 }
diff --git a/html/csv.php b/html/csv.php
@@ -12,20 +12,27 @@
  * the source code distribution for details.
  */
 
-$init_modules = array('web', 'auth');
+use LibreNMS\Authentication\LegacyAuth;
+use LibreNMS\Config;
+
+$init_modules = ['web', 'auth'];
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!LegacyAuth::check()) {
+    die('Unauthorized');
+}
+
 set_debug(strpos($_SERVER['PATH_INFO'], 'debug'));
 
-$report = mres($vars['report']);
-if (!empty($report) && file_exists("includes/reports/$report.csv.inc.php")) {
+$report = basename($vars['report']);
+if ($report && file_exists(Config::get('install_dir') . "/includes/html/reports/$report.csv.inc.php")) {
     if ($debug === false) {
         header('Content-Type: text/csv');
         header('Content-Disposition: attachment; filename="'.$report.'-'.date('Ymd').'.csv"');
     }
 
-    $csv = array();
-    require $config['install_dir'] . "/html/includes/reports/$report.csv.inc.php";
+    $csv = [];
+    require Config::get('install_dir') . "/includes/html/reports/$report.csv.inc.php";
     foreach ($csv as $line) {
         echo implode(',', $line)."\n";
     }

diff --git a/html/data.php b/html/data.php
@@ -19,18 +19,18 @@
     $title  = generate_device_link($device);
     $title .= ' :: Port  '.generate_port_link($port);
     $auth   = true;
-}
 
-$in = snmp_get($device, 'ifHCInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-if (empty($in)) {
-    $in  = snmp_get($device, 'ifInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-}
+    $in = snmp_get($device, 'ifHCInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    if (empty($in)) {
+        $in  = snmp_get($device, 'ifInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    }
 
-$out = snmp_get($device, 'ifHCOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-if (empty($out)) {
-    $out = snmp_get($device, 'ifOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-}
+    $out = snmp_get($device, 'ifHCOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    if (empty($out)) {
+        $out = snmp_get($device, 'ifOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    }
 
-$time = time();
+    $time = time();
 
-printf("%lf|%s|%s\n", time(), $in, $out);
+    printf("%lf|%s|%s\n", time(), $in, $out);
+}
diff --git a/html/graph.php b/html/graph.php
@@ -1,5 +1,4 @@
 <?php
-
 /**
  * LibreNMS
  *
@@ -10,17 +9,24 @@
  * @copyright  (C) 2006 - 2012 Adam Armstrong
  */
 
+use LibreNMS\Authentication\LegacyAuth;
 
 $start = microtime(true);
 
-$init_modules = array('web', 'graphs');
+$init_modules = array('web', 'graphs', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+$auth = LegacyAuth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']);
+
+if (!$auth) {
+    die('Unauthorized');
+}
+
 set_debug(isset($_GET['debug']));
 
 rrdtool_initialize(false);
 
-require $config['install_dir'] . '/html/includes/graphs/graph.inc.php';
+require $config['install_dir'] . '/includes/html/graphs/graph.inc.php';
 
 rrdtool_close();
 

diff --git a/html/includes/.htaccess b/html/includes/.htaccess
diff --git a/html/includes/graphs/macaccounting/bits.inc.php b/html/includes/graphs/macaccounting/bits.inc.php
diff --git a/html/legacy_api_v0.php b/html/legacy_api_v0.php
@@ -1,5 +1,4 @@
 <?php
-
 /*
  * LibreNMS
  *
@@ -12,10 +11,14 @@
  * the source code distribution for details.
  */
 
+use LibreNMS\Config;
+
 $init_modules = array('web', 'alerts');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-use LibreNMS\Config;
+if (!Auth::check()) {
+    die('Unauthorized');
+}
 
 $app = new \Slim\Slim();
 
@@ -30,7 +33,7 @@
     $app->add($cors);
 }
 
-require $config['install_dir'] . '/html/includes/api_functions.inc.php';
+require $config['install_dir'] . '/includes/html/api_functions.inc.php';
 $app->setName('api');
 
 $app->notFound(function () use ($app) {